With the implementation of GDPR and CCPA, every website has to have their own half-baked implementation of a cookie consent banner. For the uninitiated, these are the banners that appear at the bottom of webpages that say "Accept Cookies" or "Decline". These banners can sometimes take up half the viewport or not be responsive on mobile. Moreover, it's really common that these banners often have serious accessibility issues that might make them non-compliant.
There should be a better way.
What if browsers could have a similar native UX implementation for cookie consent as with getting access to the microphone, for example? The user experience I'm thinking about here is as follows: the user would be prompted in the browser context whether or not to allow access to cookies when navigating to a webpage. There's a lot of room in the design space here to make sure that the user is in control while minimizing the damage to the user experience on the web.
Before I get in to a few roadblocks I see, there could be ongoing work in this space, but some googling didn't help me here. If it's not being worked on, there's probably a few other reasons this hasn't been done yet (this is just a random thought I had), so please leave a comment if I've missed something.
Roadblock 1: Old browser versions
This is inevitably a huge roadblock. But we already have a bad patchwork of implementations, so it seems like that damage has been done here. Why not try to move towards a better standard?
Roadblock 2: Not granular enough
It's probable that a cookie interface for the browser wouldn't be granular enough to support all use cases (say, missing different levels of cookies to opt-in to). But, again, I think websites that want to support use cases outside of regulatory frameworks should probably implement their own interfaces. Getting 95% of the way there seems worth it.
Roadblock 3: Regulatory patchwork
This is probably the main roadblock for the near future. A lot of these laws are in their infancy, and many jurisdictions are considering their regulatory frameworks on data privacy right now.
This could be totally naive, but this could actually be an argument for writing a standard now. If there's a consistent standard that gets negotiated with all parties at the table, it would be way easier to lobby governments across the world that they should write regulation that matches the standard.
I'll just reiterate: I'm not super familiar with this area or what ongoing work or discussions have been had in the past here. Just sketching out some thoughts I had and found it difficult to find any information about decisions in this space.
Thanks for reading!
Top comments (7)
Great idea. I believe this should be done.
It's the legal responsibility of the website owner to ensure cookie legislation is acquired from the visitor and not the browser vendor.
Moving this to the browser is impractical due to the sheer number of browsers and versions.
Sheer number of browsers and versions? If you take the latest version of each, it must be about 50 max (see en.wikipedia.org/wiki/List_of_web_...) - vs the sheer number of websites (millions if not billions) going about this their own way with their own interpretation of the law(s)... Feels like putting it at browser level is by far the most sensible option - they can enforce the rules that way, and make sure that websites are compliant.
One of the reasons may be those super complicated tables of cookies you can allow or deny. A browser couldn’t handle those natively. Also there could be lots of potential of misuse. I‘d rather see that website stop using the unnecessary cookies in the first place, so they wouldn’t need those overlays at all.
if we think about how cookies work, we see that its more reasonable to be handled by browser. the browser actually sends them back to the site. this means a software that the user is using causes the problem (of privacy) and its users fault to send them not the webserver that only requests getting them. so as users agents, a good browser must be responsible and a bad one should be avoided.
For granularity a format could be produced that is stored in a text file at the root of website which lists the cookies and the categories they fall into and then the browsers could control on or off in a standardized way. The users could have defaults like accept them all, accept core and analytics etc and then fine tune them on a site by site basis.
Having control at the browser level would mean that a bug introduced on the site would not impact the privacy of a user.
The current approach of doing it at a site level seems like a swindle by the legal profession to make money.
cookies are standardized in browser and servers. i could be hard to patch the standard to allow for txt file and categories.
txt files also could get cached and tagged for each user in order to track them